Base64 decoding similar to what Suricata has.
Suricata's implementation:
base64_decode:bytes <value>, offset <value>, relative;
Instead of using the number of bytes to capture and an offset, something similar to the meta_content would work nicely. Knowing the exact offset and length can be difficult to determine accurately. The addition of a length to capture can be a great option, as we may not need to capture all 1000 bytes but only the first 100. We can use an ending delimiter or stop at the first non-base64 character.
Full Capture: Ending Delimiter
base64_capture:"powershell -enc|20|%sagan%|20|";
content:"hello"; base64_data; base64_contains; base64_nocase;
Full Capture: Non-base64 Character
base64_capture:"powershell -enc|20|%sagan%", "rfc4648";
content:"hello"; base64_data; base64_contains; base64_nocase;
Partial Capture:
base64_capture:"powershell -enc|20|%sagan%", 100;
content:"hello"; base64_data; base64_contains; base64_nocase;
Sample Log:
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Enc aGVsbG8gd29ybGQK EngineVersion=
Suricata Documentation:
https://suricata.readthedocs.io/en/suricata-6.0.10/rules/base64-keywords.html?highlight=base64#base64-keywords
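A prototype of the proposed capture semantics run over the sample log above. This is an added example, not Sagan code and not part of the issue; it assumes that `%sagan%` marks the capture point (text before it is the prefix to search for, text after it is the optional ending delimiter), that `|20|` is pipe-hex as in existing Snort/Sagan content strings, that the prefix search and the decoded `content` match are both case-insensitive, and that the partial-capture length counts characters of the encoded text. Because the sample log contains `powershell.exe -Enc` rather than `powershell -enc`, the prefix used here is shortened to `-enc|20|`; the issue's literal prefix is also run so the reader can see that it does not match this line.

```python
import base64
import binascii
import re

# Constructed sample log line, copied from the "Sample Log" in the issue above.
SAMPLE_LOG = (
    "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "-Enc aGVsbG8gd29ybGQK EngineVersion="
)

# RFC 4648 base64 alphabet plus padding.
B64_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)


def expand_pipe_hex(s):
    """Expand Snort/Sagan-style |20| hex escapes into literal characters."""
    return re.sub(r"\|([0-9A-Fa-f ]+)\|",
                  lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), s)


def base64_capture(log, spec, rfc4648=False, max_len=None):
    """Hypothetical semantics of the proposed base64_capture keyword (assumption,
    not Sagan's implementation).  spec is the quoted argument, e.g.
    "-enc|20|%sagan%|20|": text before %sagan% is the prefix to find
    (case-insensitive), text after it is an optional ending delimiter.
    rfc4648=True stops at the first non-base64 character; max_len caps the
    number of encoded characters captured.  Returns the raw captured text, or
    None if the prefix is absent from the log line."""
    spec = expand_pipe_hex(spec)
    prefix, _, end_delim = spec.partition("%sagan%")
    low = log.lower()
    start = low.find(prefix.lower())
    if start < 0:
        return None
    start += len(prefix)
    end = len(log)
    if end_delim:
        hit = low.find(end_delim.lower(), start)
        if hit >= 0:
            end = hit
    if rfc4648:
        i = start
        while i < end and log[i] in B64_CHARS:
            i += 1
        end = i
    if max_len is not None:
        end = min(end, start + max_len)
    return log[start:end]


def base64_decode_lenient(captured):
    """Decode a capture, re-padding a truncated partial capture to a multiple
    of four characters.  Returns None when the text is not valid base64, e.g.
    when a length-only capture ran into the next log field."""
    padded = captured + "=" * (-len(captured) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def base64_contains(decoded, content, nocase=True):
    """content:"..."; base64_data; base64_contains; base64_nocase; as a
    substring test on the decoded bytes."""
    if decoded is None:
        return False
    needle = content.encode()
    return needle.lower() in decoded.lower() if nocase else needle in decoded


def rule_matches(log, spec, content, **capture_opts):
    """Run one proposed rule against one log line.
    Returns (captured_text, decoded_bytes, matched)."""
    cap = base64_capture(log, spec, **capture_opts)
    dec = base64_decode_lenient(cap) if cap is not None else None
    return cap, dec, base64_contains(dec, content)


if __name__ == "__main__":
    cases = [
        ("full capture, ending delimiter", "-enc|20|%sagan%|20|", {}),
        ("full capture, rfc4648 stop", "-enc|20|%sagan%", {"rfc4648": True}),
        ("partial, 100 chars, no stop", "-enc|20|%sagan%", {"max_len": 100}),
        ("partial, 8 chars + rfc4648", "-enc|20|%sagan%", {"max_len": 8, "rfc4648": True}),
        ("issue's literal prefix", "powershell -enc|20|%sagan%|20|", {}),
    ]
    for label, spec, opts in cases:
        print(f"{label:32} -> {rule_matches(SAMPLE_LOG, spec, 'hello', **opts)}")
```

Two things the run makes visible: a length-only partial capture with no delimiter and no non-base64 stop swallows the following field (`aGVsbG8gd29ybGQK EngineVersion=`), which is not decodable, so a partial capture is only safe when combined with one of the two stop conditions; and a partial capture whose length is not a multiple of four needs re-padding before decoding, otherwise the trailing bytes are lost.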